Privacy Daily is a service of Warren Communications News.

German Case Shows GDPR Nuances in Online Background Checks: Lawyer

There’s no substitute for openness, clear communication and specificity where privacy regulation is concerned, Orrick lawyer Christian Schroder wrote, as was demonstrated by rulings in Germany in June involving GDPR regulations. In addition, the rulings showed that an organization gathering data from public sources about a job candidate could put it out of compliance, though that might not force the hiring of a wronged candidate, Schroder said in a blog post this week.

He urged GDPR-covered organizations to conduct online searches on job candidates only when they can provide a specific reason for it. That means “companies may not want to do public searches on every applicant,” he wrote.

Moreover, they should be specific about background checks on applicants and provide candidates with precise privacy notices, describing “all potential avenues of gathering information.”

In the case, a German university conducted an online search about an attorney who was seeking employment in its law school. It ultimately rejected the applicant after discovering his pending conviction for attempted fraud. The applicant sued, claiming the school conducted illegal data processing and was in violation of GDPR Article 82(1) because it conducted “a general search,” not one aimed at researching his criminal background.

The applicant also said the school didn't inform him about the online search for his criminal activities or ask him about them during an oral interview. As a result, he said he’d lost control of his data and had his privacy violated.

The university responded that an online search of publicly accessible data was justified and relevant to evaluate the applicant, in part because of his pending criminal proceedings.

Labor courts for Germany and Dusseldorf weighed in on the case. While the Dusseldorf court ruled that the online search was permitted under the GDPR since it was necessary to determine the applicant’s suitability for a job, Schroder said it avoided ruling on whether “background checks without specific cause are generally justified.”

He also noted the Dusseldorf court's decision that the school violated GDPR Article 14 when it failed to inform the applicant “of the categories of personal data within the meaning of Article 14(1)(d) GDPR that it had processed.” The school further violated the law when it failed to mention to the applicant that his criminal case could make him unsuitable for the job.

The court awarded the applicant 1,000 euros ($1,200) in damages. The federal court upheld that award, Schroder wrote, but unlike the Dusseldorf court, it found that “multiple GDPR violations occurred,” including collecting data about the applicant’s criminal proceedings without a valid legal basis under Articles 6 and 10.

However, the federal court argued that the applicant’s legal case faltered because he was unable to show that the GDPR violations disqualified him for the job, Schroder said. Instead, “objectively justified doubts” about his suitability hurt his candidacy.

Still, the school had “reduced the applicant to a mere object of the processing, undermining his personal dignity and causing a substantial loss of control,” Schroder wrote, justifying the 1,000 euro award.